Skip to content
Ransomware group

Sicarii

Sicarii is a ransomware-as-a-service (RaaS) operation first observed in late 2025 / December 2025.

Profile source: Mallory opens in a new tab

Sicarii

Family profile

Sicarii is a ransomware-as-a-service (RaaS) operation first observed in late 2025 / December 2025. It is a functional ransomware threat with extortion, data theft, reconnaissance, persistence, and destructive capabilities, but multiple reports describe it as immature and operationally anomalous. Check Point assessed that Sicarii presents itself as an Israeli/Jewish operation using Hebrew language, historical symbols, and ideological references, while much of its underground activity and affiliate recruitment is conducted in Russian; the Hebrew content reportedly appears machine-translated or non-native, suggesting likely false-flag or performative identity signaling. Sicarii has also been described in reporting as being used by pro-Iranian or pro-Palestinian aligned operators in the broader Middle East ecosystem, and Halcyon reported that in March 2026 its administrator redirected operators toward Baqiyat 313 Locker (BQTlock) due to affiliate demand.

Technically, Sicarii encrypts files using AES-GCM / AES-256-GCM and appends the .sicarii extension. The malware has been reported to generate a new RSA key pair during execution and then discard the private key, a critical cryptographic flaw that makes decryption permanently impossible for victims and operators alike and renders ransom payment futile. This key-handling defect is one of the most consistently reported characteristics of the malware.

Reported behavior includes anti-virtualization / sandbox checks, single-instance execution via mutex, copying itself to a temp directory under an svchost-like randomized filename, and repeated connectivity checks to google.com/generate_204. Sicarii performs host and network reconnaissance, including ARP-based discovery and scanning for exposed RDP services. It steals data including system credentials, browser data, registry hives, and application data from services such as Discord, Slack, Telegram, WhatsApp, Office, Roblox, and Atomic Wallet; some reporting also mentions cryptocurrency wallet theft generally. Stolen data is packaged into collected_data.zip and exfiltrated via file.io. Persistence mechanisms reported include registry Run keys, service creation, and creation of local user accounts with hardcoded credentials such as SysAdmin / Password123!. Some reporting also states it attempts to create a new AWS user without checking whether AWS is installed.

For lateral movement or follow-on compromise, Sicarii has been associated with exploitation of Fortinet devices, including references to CVE-2025-64446. It also includes geo-fencing intended to avoid execution on Israeli systems by checking time zone, keyboard layout, and Israeli IP indicators. A destructive component has been reported as well: startup batch scripts such as destruct.bat that corrupt bootloader files, invoke disk-wiping related commands, and force immediate shutdown.

Targeting reporting is mixed but consistently places Sicarii in the Middle East, Turkey, and Africa region, with at least one reported US-based victim. Check Point reporting also cited operator claims of targeting small businesses. Known high-confidence indicators directly mentioned in the content include the .sicarii file extension, collected_data.zip, exfiltration via file.io, temp-file naming in the form svchost_{random}.exe, the WinDefender service name, the SysAdmin account with password Password123!, and connectivity checks to google.com/generate_204.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Pgp

18 total
  • -----BEGIN PGP PUBLIC KEY BLOCK-----
  • Comment: User ID: Sicarii <sic@ar.ii>
  • Comment: Valid from: 11/30/25 7:48 PM
  • Comment: Valid until: 11/30/28 12:00 PM
  • Comment: Type: 255-bit EdDSA (secret key available)
  • Comment: Usage: Signing, Encryption, Certifying User IDs
  • Comment: Fingerprint: 963B 6905 B58F 9673 A08F 9CDD 78DD 49C8 9B96 3C1D
  • mDMEaSzl7xYJKwYBBAHaRw8BAQdARyoHoP7vQb3CfBsNHNkoZtogxV8uFK2FG8OB
  • VxdVPfm0E1NpY2FyaWkgPHNpY0Bhci5paT6IlgQTFgoAPhYhBJY7aQW1j5ZzoI+c
  • 3XjdScibljwdBQJpLOXvAhsDBQkFpH4hBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA

Tox

1 total
  • 2368C617830435DD74C41323BD684F04627A8047F92A885419E0191AC21F6D49733E4FF2C60E

MITRE ATT&CK

Sicarii in ATT&CK

147 distinct techniques

Techniques

147 techniques
T1486 Data Encrypted for Impact T1204.002 Malicious File T1071 Application Layer Protocol T1133 External Remote Services T1566 Phishing T1203 Exploitation for Client Execution T1189 Drive-by Compromise T1485 Data Destruction T1078 Valid Accounts T1190 Exploit Public-Facing Application T1566.001 Phishing: Spearphishing Attachment T1566.002 Phishing: Spearphishing Link T1566.003 Phishing: Spearphishing Voice T1047 Windows Management Instrumentation T1053.005 Scheduled Task/Job: Scheduled Task T1059 Command and Scripting Interpreter T1059.001 Command and Scripting Interpreter: PowerShell T1059.003 Command and Scripting Interpreter: Windows Command Shell T1059.005 Command and Scripting Interpreter: Visual Basic T1106 Native API T1129 Shared Modules T1204 User Execution T1204.001 User Execution: Malicious Link T1098 Account Manipulation T1505.004 Server Software Component: IIS Components T1542.003 Pre-OS Boot: Bootkit T1543.003 Create or Modify System Process: Windows Service T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.009 Boot or Logon Autostart Execution: Shortcut Modification T1574.001 Hijack Execution Flow: DLL Search Order Hijacking T1068 Exploitation for Privilege Escalation T1134 Access Token Manipulation T1134.002 Access Token Manipulation: Create Process with Token T1543 Create or Modify System Process T1027 Obfuscated Files or Information T1027.002 Obfuscated Files or Information: Software Packing T1027.005 Obfuscated Files or Information: Indicator Removal from Tools T1027.007 Obfuscated Files or Information: Dynamic API Resolution T1027.009 Obfuscated Files or Information: Embedded Payloads T1027.013 Obfuscated Files or Information: Encrypted/Encoded File T1036 Masquerading T1036.003 Masquerading: Rename Legitimate Utilities T1036.004 Masquerading: Masquerade Task or Service T1036.005 Masquerading: Match Legitimate Name or Location T1036.008 Masquerading: Masquerade File Type T1055.001 Process Injection: DLL Injection T1070 Indicator Removal T1070.003 Indicator Removal: Clear Command History T1070.004 Indicator Removal: File Deletion T1070.006 Indicator Removal: Timestomp T1140 Deobfuscate/Decode Files or Information T1202 Indirect Command Execution T1218 System Binary Proxy Execution T1218.005 System Binary Proxy Execution: Mshta T1218.010 System Binary Proxy Execution: Regsvr32 T1218.011 System Binary Proxy Execution: Rundll32 T1220 XSL Script Processing T1221 Template Injection T1222 File and Directory Permissions Modification T1497.001 Virtualization/Sandbox Evasion: System Checks T1497.003 Virtualization/Sandbox Evasion: Time Based Checks T1548 Abuse Elevation Control Mechanism T1553.002 Subvert Trust Controls: Code Signing T1562 Impair Defenses T1562.001 Impair Defenses: Disable or Modify Tools T1562.004 Impair Defenses: Disable or Modify System Firewall T1564.001 Hidden Artifacts: Hidden Files and Directories T1574.013 Hijack Execution Flow: KernelCallbackTable T1620 Reflective DLL Injection T1622 Debugger Evasion T1003 OS Credential Dumping T1056 Input Capture T1056.001 Input Capture: Keylogging T1110.003 Brute Force: Password Spraying T1539 Steal Web Session Cookie T1552 Unsecured Credentials T1552.001 Unsecured Credentials: Credentials In Files T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning T1007 System Service Discovery T1010 Application Window Discovery T1012 Query Registry T1016 System Network Configuration Discovery T1033 System Owner/User Discovery T1046 Network Service Discovery T1049 System Network Connections Discovery T1057 Process Discovery T1082 System Information Discovery T1083 File and Directory Discovery T1087 Account Discovery T1087.002 Account Discovery: Domain Account T1124 Time Discovery T1135 Network Share Discovery T1518 Software Discovery T1614 System Location Discovery T1614.001 System Location Discovery: System Language Discovery T1021.001 Remote Services: Remote Desktop Protocol T1021.002 Remote Services: SMB/Windows Admin Shares T1021.004 Remote Services: SSH T1534 Internal Spearphishing T1005 Data from Local System T1074 Data Staged T1074.001 Data Staged: Local Data Staging T1114 Email Collection T1560 Archive Collected Data T1560.001 Archive Collected Data: Archive via Utility T1560.002 Archive Collected Data: Archive via Library T1560.003 Archive Collected Data: Archive via Custom Method T1041 Exfiltration Over C2 Channel T1048.003 Exfiltration Over Alternative Protocol: Unencrypted Non-C2 Protocol T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage T1001.003 Data Obfuscation: Protocol or Service Impersonation T1008 Fallback Channels T1071.001 Application Layer Protocol: Web Protocols T1090.001 Proxy: Internal Proxy T1090.002 Proxy: External Proxy T1102.002 Web Service: Bidirectional Communication T1104 Multi-Stage Channels T1105 Ingress Tool Transfer T1132.001 Data Encoding: Standard Encoding T1571 Non-Standard Port T1573 Encrypted Channel T1573.001 Encrypted Channel: Symmetric Cryptography T1489 Service Stop T1490 Inhibit System Recovery T1491.001 Defacement: Internal Defacement T1529 System Shutdown/Reboot T1561 Disk Wipe T1561.001 Disk Wipe: Disk Content Wipe T1561.002 Disk Wipe: Disk Structure Wipe T1583.001 Acquire Infrastructure: Domains T1583.004 Acquire Infrastructure: Server T1583.006 Acquire Infrastructure: Web Services T1584.001 Compromise Infrastructure: Domains T1584.004 Compromise Infrastructure: Server T1585.001 Establish Accounts: Social Media Accounts T1585.002 Establish Accounts: Email Accounts T1587.001 Develop Capabilities: Malware T1587.002 Develop Capabilities: Code Signing Certificates T1588.002 Obtain Capabilities: Tool T1588.003 Obtain Capabilities: Code Signing Certificates T1588.004 Obtain Capabilities: Digital Certificates T1608.001 Stage Capabilities: Upload Malware T1608.002 Stage Capabilities: Upload Tool T1589.002 Gather Victim Identity Information: Email Addresses T1591 Gather Victim Org Information T1591.004 Gather Victim Org Information: Identify Roles T1593.001 Search Open Websites/Domains: Social Media

Reporting

Research mentioning Sicarii

Jun 16
Cysecurity News

Ransomware Gang Apologizes After Mistakenly Attacking CIS Company and Revealing Criminal Errors - CySecurity News - Latest Information Security and Hacking Incidents

The team behind Sicarii built a system that made fresh encryption keys on each launch - yet wiped the matching private key right after.

Jun 2
Register Security

'Dumbass' criminal breaks the 'first rule of ransomware club'

Another coding error committed by Sicarii malware developers makes it nearly impossible for companies to recover their files: the Sicarii encryptor generates a new cryptographic key pair during every execution - but then discards the private key...

Apr 6
The Hacker News

Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations

In March 2026, Halcyon also revealed that the administrator of Sicarii ransomware, Uke, urged pro-Iranian operators to use Baqiyat 313 Locker (aka BQTlock) due to the influx of affiliate requests.

Mar 20
Centripetal Threat Research

Pre-Positioned Access: The Cyber Threat Behind the Iran… | Centripetal

BaqiyatLock and Sicarii deploy pseudo-ransomware designed to destroy data rather than hold it for ransom.

Mar 5
Halcyon Attacks Lookout

Pro-Iranian Ransomware Operators Tactical Shift from Sicarii to BQTLock

"...move ransomware activity from Sicarii ransomware to Baqiyat 313 Locker..."

Mar 3
Halcyon Attacks Lookout

Iranian Use of Cybercriminal Tactics in Destructive Cyber Attacks: 2026 Updates

Sicarii is a RaaS operation that surfaced in December 2025 with a critical flaw in its encryption: the malware discards its own keys after encrypting files, making decryption permanently impossible for both victims and operators, rendering any ransom payment futile.

Mar 2
Zdnet Zero Day

Why encrypted backups may fail in an AI-driven ransomware era | ZDNET

In January 2026, the Halcyon Ransomware Research Center ... discovered a critical flaw in a ransomware variant called Sicarii. This variant of malware correctly generates a new RSA key to encrypt the targeted data... But then, the software deletes the key.

Feb 2
Securitysenses

February 2, 2026 Cyber Threat Intelligence Briefing | SecuritySenses

The Sicarii ransomware strain has introduced a critical flaw that renders data recovery impossible for victims.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.